SSH Commands

Secure/Setup cPanel/WHM

READ ALL THIS:

This tutorial is based on the release version of cPanel. With updates it is bound to change with time.

This setup is based on security and performance and tries to take into consideration new setups as well as existing setups. If a setting isn't mentioned here you are safe to use your own setting. This is also only a guide. If you are a web hosting company and DO offer FrontPage services then naturally you need to ensure it is turned on in the Feature Lists; however, you should make sure it's only turned on in packages where you are offering that feature. Use common sense and always think of security first.

Form: For your convenience and for hard copy records you can use the checklist provided and print it afterwards.

Server IP Address

Server Configuration

Basic cPanel/WHM Setup

Set a Server Contact E-Mail Address

Change Root Password

Reset Root Password

Server Time

Set the correct time zone so the clock syncs properly. This ensures the time is set up correctly for the updates configured later.

Tweak Settings

Untick: Allow users to Park/Addon Domains on top of domains owned by other users

Untick: Allow Creation of Parked/Addon Domains that are not registered

Tick: Prevent users from parking/adding on common internet domains

Blackhole: Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time

Tick: Email users when they have reached 80% of their bandwidth

60: Number of minutes between mail server queue runs (default is 60)

Tick: Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

50: The maximum each domain can send out per hour

Tick: Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)

120: The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited

Tick: Attempt to prevent pop3 connection floods

Tick: Mail Box Usage Warnings

Untick: Disable Suspending accounts that exceed their bandwidth limit

Tick: Disk Space Usage Warnings

Untick: FormMail-clone cgi

Tick: Allow Sharing Nameserver Ips

Untick: Disable Disk Quota display caching

Tick: Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log

Untick: Do not warn about features that will be deprecated in later releases

Untick: Use jailshell as the default shell for all new accounts and modified accounts

Tick: Prevent installation of cPanel addon scripts that have been altered

Update Config

cPanel/WHM Updates: Automatic (RELEASE tree)

cPanel Package Updates: Automatic

Security Package Updates: Automatic

Networking Setup

Hostname

Set Valid Hostname. Set a name that describes the server's role.

Resolver Configuration

Set Resolver IP addresses - Run a WHOIS on the IP addresses already present to check if the provider has already entered these values. If not, contact your provider for the resolver IP addresses.

Security

Fix Insecure Permissions (Scripts)

Run - Only have to click link in nav to run it

Manage Wheel Group Users

WARNING: Only proceed with this one if you have disabled direct root login with SSH. Remove all users who shouldn't have su (switch user) access. Generally this should include root if direct root login is disabled for security.
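The two conditions in that warning (who is in wheel, and whether sshd still permits direct root login) can be checked from the shell before touching anything in WHM. The script below is an added example, not part of the original checklist or of cPanel; it takes the group file and sshd_config as parameters so it can be pointed at copies, and the sample files it builds are constructed for the demo, not taken from a real server. It reads only and changes nothing.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit wheel-group
# membership against the sshd PermitRootLogin setting.
# Paths are parameters so the functions can run against copies or
# constructed sample files; nothing here modifies the server.

# Print the comma-separated member list of the "wheel" line in a
# /etc/group-format file.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

# Report the effective PermitRootLogin value from an sshd_config file.
# sshd uses the first non-comment occurrence of a keyword, so stop at the
# first match; print "default" when the keyword is never set.
# (Match blocks are not handled; this reads the global setting only.)
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Emit one line per wheel member. root is flagged as CHECK while direct
# SSH root login is still permitted (the checklist: only strip su access
# once root login is off). Exit status 1 when something needs attention.
wheel_audit() {
    groupfile=$1
    sshdconf=$2
    status=0
    prl=$(permit_root_login "$sshdconf")
    for user in $(wheel_members "$groupfile" | tr ',' ' '); do
        if [ "$user" = root ] && [ "$prl" != no ]; then
            echo "CHECK  root is in wheel while PermitRootLogin=$prl"
            status=1
        else
            echo "REVIEW $user has su access via wheel"
        fi
    done
    return $status
}

# Constructed sample files (not copied from any server) for a dry run.
make_sample_group() {
    f=$(mktemp)
    printf 'root:x:0:\nwheel:x:10:root,admin\nusers:x:100:\n' > "$f"
    echo "$f"
}
make_sample_sshd_config() {
    f=$(mktemp)
    # commented-out line must be ignored; the live setting is "no"
    printf '# PermitRootLogin yes\nPermitRootLogin no\nPort 22\n' > "$f"
    echo "$f"
}
make_sample_sshd_config_open() {
    f=$(mktemp)
    printf 'PermitRootLogin yes\nPort 22\n' > "$f"
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    g=$(make_sample_group); s=$(make_sample_sshd_config)
    wheel_audit "$g" "$s"
    rm -f "$g" "$s"
fi
```

Run it as `sh wheel_audit.sh --demo` for the built-in sample, or call `wheel_audit /etc/group /etc/ssh/sshd_config` on the live files; a non-zero exit means root is still in wheel while PermitRootLogin is not "no", which is exactly the state the warning tells you not to act in.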

Manage Wheel Group Users

Run - Only have to click link in nav to run it

Quick Security Scan

Run - Only have to click link in nav to run it. Everything should have [FAILED] next to it.

Resellers
(Needs to be set up before anyone is added. If not, the default settings have to be overwritten or an ACL list made and set on creation of each reseller account)

Edit Privileges/Nameservers

Untick: Enabling/Disabling FrontPage Extensions

Untick: Turn an account into a demo account

Untick: Allow Creation of Packages with Shell Access

Untick: Allow creation of packages with Addon Domains

Untick: Allow creation of packages with Parked Domains

Tick: Disallow creation of accounts with packages that are not global or not owned by this user

Tick: Never allow creation of accounts with shell access

Untick: All Features (warning: root access)

Service Configuration

Enable/Disable SuExec

Enable

Exim Configuration Editor

Untick: Always set the Sender: header when the sender is changed from the actual sender

Tick: Verify the existence of email senders

Tick: Use callouts to verify the existence of email senders

Tick: Discard emails for users who have exceeded their quota instead of keeping them in the queue

FTP Configuration

Ensure "pure-ftpd" is in use - Change otherwise

Anonymous Ftp: Disabled

Service Manager

For performance untick enabled and monitoring on:

entropychat
imap
interchange
melange

Only tick the monitor option for services you want customers to see. Keep the list to a minimum to cause less confusion; try to stick to FTP, HTTPD, BIND and MySQL.

Account Information

List Parked Domains

Check for any unauthorised domains

List Suspended Accounts

Check and become familiar with any suspended accounts

Show Accounts over Quota

Check and become familiar with any accounts over quotas

View Bandwidth Usage

Check and become familiar with any accounts over limits

Account Functions

Manage Shell Access

Disable all accounts

Modify Suspended Account Page

Change to:

<b>Attention: This account has been suspended. Please contact your provider for more information</b>

Skeleton Directory

Check this path, then SSH into the server and set up the directory. Remove any rubbish and leave only what is needed. Ensure that no FrontPage Server Extensions are present.

FrontPage

Uninstall FrontPage Extensions

Uninstall any known installations of these. Note: doing so will rename the .htaccess file in the document root of the account. Only do this if you know it is installed and want it removed. You may have to log in to the account, rename .htaccess.986984278 (or something similar) back to .htaccess and manually remove any FrontPage rubbish from the file.
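Both the skeleton directory check above and this .htaccess clean-up come down to the same two tasks: find what the FrontPage extensions left behind, and take their lines out of an .htaccess without touching the rest of it. The script below is an added example and is not part of the original checklist or of cPanel's own tooling. It assumes the usual FrontPage fingerprint (directories named _vti_* and .htaccess lines that mention _vti or carry the "# -FrontPage-" marker); the sample document root it builds is constructed for the demo. It only lists and prints; deleting stays a manual step, as the text says.

```shell
#!/bin/sh
# Added example, not from the original checklist: locate FrontPage Server
# Extension leftovers in a skeleton directory or an account's document
# root, and print a cleaned copy of an .htaccess file. The "_vti_*"
# directory names and the "# -FrontPage-" marker are the assumed
# fingerprint. Nothing is deleted; review the listing, then remove by hand.

# List FrontPage residue below DIR: _vti_* entries and the numbered
# .htaccess.<digits> backups that the WHM uninstaller leaves behind.
frontpage_residue() {
    find "$1" \( -name '_vti_*' -o -name '.htaccess.[0-9]*' \) -print
}

# Print HTACCESS with FrontPage-specific lines dropped (any line that
# mentions _vti or FrontPage, case-insensitively). Everything else, e.g.
# RewriteRule lines, is kept verbatim. Output goes to stdout so the caller
# decides whether it becomes the new .htaccess.
strip_frontpage() {
    grep -v -i -e '_vti' -e 'frontpage' "$1"
}

# Build a throwaway directory that imitates an account with leftovers.
# Contents are constructed for this demo, not copied from a real server.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/_vti_bin" "$d/_vti_pvt"
    : > "$d/_vti_pvt/service.pwd"
    printf '%s\n' \
        '# -FrontPage-' \
        'IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*' \
        'RewriteEngine On' \
        'RewriteRule ^old$ /new [R=301]' > "$d/.htaccess.986984278"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_docroot)
    echo "Residue under $d:"
    frontpage_residue "$d"
    echo "Cleaned .htaccess:"
    strip_frontpage "$d/.htaccess.986984278"
    rm -rf "$d"
fi
```

Against a live account the flow is `frontpage_residue /home/USER/public_html` to see what is there, then `strip_frontpage /home/USER/public_html/.htaccess.NNNN > /tmp/htaccess.new`, compare with diff, and only then move it into place as .htaccess. Run the residue check over the skeleton directory too, since anything left there is copied into every new account.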

Untick anything with a rank of 1 - these are the most insecure or the ones that are going to give you hell.

Addon Scripts (Deprecated)

Uninstall anything in here - these are "handy" but in the end cause trouble, especially if they are allowed to get outdated.

Modify cPanel/WHM News

Global cPanel News:

<p><br><b>Account Tips:</b>
<ul>
<li>Set all unrouted mail or your default email address on all domains and subdomains to <i><b>:blackhole:</b></i> to avoid spam attacks against your account.</li>
<li>Set a contact email address that is not located on this server so you can be contacted in emergencies (eg. gmail or hotmail).</li>
<li>Ensure Anonymous FTP Access is turned off on your account.</li>
<li>Disable directory listing on your public_html folder to secure your files.</li>
<li>Use a strong password and change it regularly.</li>
<li>Back up your data regularly. Customers are responsible for backing up their own data.</li></ul>
<p>If you need help with any of the above, please contact our support department.</p>

cPanel News (displayed in all of your customers cPanels):

Welcome to $company_name. For all your support needs, <a href="http://www.support-url-here.com" target="_blank">contact our helpdesk</a> and we'd be glad to help.

Synchronize FTP Passwords

Run

Add-ons

Addon Script Manager

Check for any out-of-date installs that are open to attack.

Configure cPanel Cron Times

Configure this to a time when you know your server load is low. The default may be okay, but this needs to be checked.

Configure ClamAV Scanner

Tick: Scan Entire Home Directory

Tick: Scan Mail

Tick: Scan Public FTP Space

Tick: Scan Public Web Space

Mod Security

Press Edit button

Press Default button

After you have finished the above run, under Security go back and run Scan for Trojan Horses.